Lilia -

  The virus database is updated daily and was updated last night.  Still seeing one
this morning:

    Virus Urlhaus.Malware.364328-9787819-0:
       https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)

Though that is a different signature.

Orion

On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
> 
> Those NBD signatures were updated at the beginning of the week and should not
> FP anymore. Please update your ClamAV db and let us know if the issue 
> persists.
> 
> Best regards,
> 
> Lilia Gonzalez
>  Malware Research Team
>  Cisco Talos
> 
> 
> On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <or...@nwra.com> wrote:
> 
>     Lilia -
> 
>       Thanks for the response.   We're seeing some others getting triggered as
>     well:
> 
>         Virus Urlhaus.Malware.490516-9766015-0:
>            10.21.2.5
>               https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
>            10.21.2.5
>               https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
>            10.21.2.5
>               https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
>            10.21.2.5
>               https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
>            10.21.2.5
>               https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
> 
>         Virus Urlhaus.Malware.161756-8797115-0:
>            10.10.20.7
>               https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>            10.11.1.3
>               https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> 
> 
>     Orion
> 
>     On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
>     > Hi Orion!
>     >
>     > Thank you for reporting this. URLhaus is a partner that generates a list of
>     > ClamAV signatures to target malicious URLs. Signature
>     > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
>     > files, which is why it is alerting on the URLs you mentioned. We found these
>     > FPs some weeks ago and added an extra check on new ClamAV signatures to
>     > prevent them from alerting on legitimate URLhaus content. We are currently
>     > updating older ClamAV signatures to ensure they don't FP on non-malicious
>     > HTML files.
>     >
>     > Best regards,
>     >
>     > Lilia Gonzalez
>     > Malware Research Team
>     > Cisco Talos
>     >
>     > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <or...@nwra.com> wrote:
>     >
>     >     Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
>     >     signature?  We're seeing the following URLs trigger it:
>     >
>     >     https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
>     >     https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
>     >     https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
>     >     https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
>     >     https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>     >
>     >     Which seem to be the online update URLs for the urlhaus filter.  Does
>     >     ClamAV deem urlhaus a bad actor?
>     >
>     >     Thanks,
>     >       Orion
>     >
>     >     --
>     >     Orion Poplawski
>     >     Manager of NWRA Technical Systems          720-772-5637
>     >     NWRA, Boulder/CoRA Office             FAX: 303-415-9702
>     >     3380 Mitchell Lane                       or...@nwra.com
>     >     Boulder, CO 80301                 https://www.nwra.com/
>     >
>     >     _______________________________________________
>     >
>     >     clamav-users mailing list
>     >     clamav-users@lists.clamav.net
>     >     https://lists.clamav.net/mailman/listinfo/clamav-users
>     >
>     >
>     >     Help us build a comprehensive ClamAV guide:
>     >     https://github.com/vrtadmin/clamav-faq
>     >
>     >     http://www.clamav.net/contact.html#ml
>     >
>     >
> 
> 
>     -- 
>     Orion Poplawski
>     Manager of NWRA Technical Systems          720-772-5637
>     NWRA, Boulder/CoRA Office             FAX: 303-415-9702
>     3380 Mitchell Lane                       or...@nwra.com
>     Boulder, CO 80301                 https://www.nwra.com/
> 
> 


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                 https://www.nwra.com/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
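As an added example (not code from this thread, from ClamAV or from Talos), here is a small Python triage helper for the kind of summary quoted above: it parses the `Virus <signature>:` / `<client ip>` / `<url>: N Time(s)` lines, groups hits by signature, and marks a hit as a likely false positive only when the URL is the URLhaus filter list itself, the case Lilia describes (the signature matches a malicious URL that the blocklist legitimately contains). The set of mirror hosts and the filter file name are assumptions taken from the URLs in the thread, and the sample summary is constructed from them; a hit such as the Mozilla add-on download is left as "review" because the thread does not resolve it.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of the summary quoted in the thread:
# a "Virus <signature>:" header, then a client IP line, then the URL
# with its hit count. Values copied from the thread for illustration.
SAMPLE_SUMMARY = """\
Virus Urlhaus.Malware.490516-9766015-0:
   10.21.2.5
      https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
   10.21.2.5
      https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)

Virus Urlhaus.Malware.161756-8797115-0:
   10.10.20.7
      https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
"""

# Assumption: hosts that mirror the URLhaus filter list (taken from the URLs in
# the thread). A hit is only treated as blocklist content when BOTH the host
# matches AND the path is the filter file itself; matching on host alone would
# exempt everything on shared CDNs such as raw.githubusercontent.com.
FILTER_LIST_HOSTS = {
    "curben.gitlab.io",
    "raw.githubusercontent.com",
    "cdn.statically.io",
    "cdn.jsdelivr.net",
    "gitcdn.xyz",
}
FILTER_LIST_FILE = "/urlhaus-filter-online.txt"

SIG_RE = re.compile(r"^Virus\s+(\S+):\s*$")
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
URL_RE = re.compile(r"^\s*(\S+?):\s+(\d+)\s+Time\(s\)\s*$")


def parse_summary(text):
    """Return {signature: [(client_ip_or_None, url, count), ...]}."""
    hits = defaultdict(list)
    signature = None
    client_ip = None
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            signature, client_ip = m.group(1), None
            continue
        m = IP_RE.match(line)
        if m:
            client_ip = m.group(1)
            continue
        m = URL_RE.match(line)
        if m and signature:
            hits[signature].append((client_ip, m.group(1), int(m.group(2))))
            client_ip = None  # each URL line consumes the IP line above it
    return dict(hits)


def classify(url):
    """'likely-fp:blocklist-content' for the filter list itself, else 'review'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in FILTER_LIST_HOSTS and parsed.path.endswith(FILTER_LIST_FILE):
        return "likely-fp:blocklist-content"
    return "review"


def triage(text):
    """Flatten the summary into (signature, ip, url, count, verdict) rows."""
    rows = []
    for signature, entries in parse_summary(text).items():
        for client_ip, url, count in entries:
            rows.append((signature, client_ip, url, count, classify(url)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_SUMMARY):
        print(*row)
```

Run it as a script to print one row per hit; feed it the real summary text instead of `SAMPLE_SUMMARY` to triage a day's report. The verdict is a hint for the analyst, not a suppression rule: a "likely-fp" row says the scanned content is a copy of the blocklist, which is exactly the case the updated signatures are meant to stop alerting on, and anything marked "review" still needs a look.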

